-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
54 lines (41 loc) · 1.77 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# HTTPS server
server {
listen 8443;
location /.well-known {
alias /usr/share/nginx/html;
}
location / {
root /usr/share/nginx/html;
index security.txt;
}
add_header Content-Security-Policy "default-src 'none'; img-src 'self'; upgrade-insecure-requests; report-uri https://report-uri.bigbank.eu/csp;";
# Specify that this site should always be loaded over HTTPS
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains;";
add_header Expect-CT 'enforce, max-age=2592000, report-uri="https://report-uri.bigbank.eu/ct';
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
add_header X-Frame-Options SAMEORIGIN;
# Hide Nginx version number from headers
server_tokens off;
# Disable content-type sniffing on some browsers.
add_header X-Content-Type-Options nosniff;
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block";
# Do not send the HTTP 'Referer' header to outside domains
# See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
add_header Referrer-Policy strict-origin-when-cross-origin;
}
# HTTP server (local testing)
server {
listen 8080;
location /.well-known {
alias /usr/share/nginx/html;
}
location / {
root /usr/share/nginx/html;
index security.txt;
}
}